[Owasp-leaders] Web Application Vulnerability Examples

psiinon psiinon at gmail.com
Wed Dec 22 09:53:10 EST 2010


Hi Stephen,

That was the way I was thinking, although I have no problem with an
app that can provide both :)

While I understand it's a lot easier faking vulnerabilities sometimes,
for some reason it just doesn't 'feel right' to me.
However you can sometimes get away without a back end - I've written
SQL injection examples in one JSP page which use an in-memory HSQLDB -
first check to see if the table you need is there, if it isn't then
create it, etc etc
So in this case there are no dependencies on any other services running
and no complicated setup either. Both of which I think are useful.
Happy to provide the examples to anyone who's interested...

Cheers,

Psiinon


On Wed, Dec 22, 2010 at 2:43 PM, Stephen de Vries
<stephen at twisteddelight.org> wrote:
>
> I think this could almost be 2 different projects, one aimed at humans and the other at automated tools.  WebGoat for demo and training as described by John, then another simpler minimal app only for performing regression tests on scanners.  Could even be used as a fit for purpose test for web scanners, where you could develop test cases that typically trip up automated tools but are easy for a human to perform.  No need for a UI or anything fancy, just the bare essentials to see whether the scanner can detect all the variants of known security issues.
> It probably doesn't even need a database on the backend, it can just fake responses specific to the test.
>
>
> Stephen
>
> On Dec 22, 2010, at 3:24 PM, John Wilander wrote:
>
>> 2010/12/22 eric sheridan <eric.sheridan at owasp.org>
>> I'd be interested in this application as well. We really need a modern WebGoat replacement - something using technologies from within the past 5 years :)
>>
>> Thanks for the interest!
>>
>> Is your application 'exercise' based? Open source? Is it at a point where you could have contributors?
>>
>> I've been giving appsec training for a couple of years so there will definitely be labs / exercises. Let me try to explain my goals in bullets:
>>       • Demo app. I frequently give appsec talks and always need a demo engine. I want to show clickjacking, CSRF and XSS but also nice solutions such as AntiSamy, double-submit tokens and X-Frame-Options headers – all in a realistic environment with modern tools and frameworks. If the app is clearly a training environment it doesn't suit my demo needs. This is a gap I want to fill which is why it's currently called "OWASP Demo App". This is also the fit with Psiinon's requirements – stable, known vulnerabilities to regression test with.
>>       • Training app. I find WebGoat too much web 1.0, too much "hack, not develop", and lacking modern tools and frameworks. My idea is a complete standalone app with labs and training through separate instructions (most probably standalone html pages). So when you look at the app it looks like something useful and nice, not obviously vulnerable or geared towards appsec.
>>       • Sexy for developers. I want the app to use sexy stuff such as CSS3 and good unit testing so when you use it for training there's a goody bag in there to interest developers. I've found that discussing exception handling, logging strategies, the best mocking framework etc really helps during appsec training. It makes developers more confident in you and in the importance of application security since it happily lives alongside other quality measures.
>> I will get it set up at GitHub, document some stuff and then email you so you can check it out. Just remember it's alpha so anything can happen :).
>>
>>    /John
>>
>>
>> -Eric
>>
>>
>> On Wed, Dec 22, 2010 at 8:47 AM, psiinon <psiinon at gmail.com> wrote:
>> Hi John,
>>
>> That would be great :)
>>
>> Is it available now?
>> I'd be happy to help with the development of it.
>> The examples I've done so far are all JSP based, including some using
>> an in-memory SQL db :)
>> I'd also be very interested in using it for the training courses I run!
>>
>> Many thanks,
>>
>> Psiinon
>>
>> On Wed, Dec 22, 2010 at 1:39 PM, John Wilander <john.wilander at owasp.org> wrote:
>> > Hi Psiinon (and the rest)!
>> >
>> > I've been working on a joint "New Webgoat + OWASP Demo App" to use for both
>> > training and demos. I used it for my two talks at IBWAS last week. Maybe we
>> > could make it the tool you want?
>> > Java/jsp, Struts 2, JAX-RS, Spring, Mockito, JQuery, Maven, Jetty, IntelliJ
>> > CE etc. Next in line are SQL and NOSQL persistence layers.
>> >    /John
>> >
>> > 2010/12/22 psiinon <psiinon at gmail.com>
>> >>
>> >> Hi folks,
>> >>
>> >> As part of the development of the Zed Attack Proxy I need a simple set
>> >> of web pages that exhibit standard vulnerabilities.
>> >> I know about the example vulnerable apps like Webgoat, DVWA, Gruyere,
>> >> Hackme etc.
>> >> However these are aimed at people.
>> >> I want a set of web pages for regression testing ZAP, so I'd like as
>> >> many examples and variants as possible, ideally with just one example
>> >> per page.
>> >>
>> >> Do any of you know of such examples?
>> >>
>> >> If not then I'll implement them myself (I've already made a start),
>> >> but if anyone else wants to get involved then I'd welcome the
>> >> assistance :)
>> >>
>> >> I guess these examples could be useful to other projects.
>> >> In theory such pages could be used to test the effectiveness of
>> >> vulnerability scanners, although my goal is to develop a regression
>> >> test suite for ZAP.
>> >> They could also be used as a training aid. (Not sure what a specific
>> >> vulnerability looks like in practice? Look here...)
>> >> So does anyone think they should be spun off into a new OWASP project,
>> >> either now or potentially later?
>> >>
>> >> Many thanks,
>> >>
>> >> Psiinon
>> >> _______________________________________________
>> >> OWASP-Leaders mailing list
>> >> OWASP-Leaders at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >
>> >
>> >
>> > --
>> > John Wilander, https://twitter.com/johnwilander
>> > Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
>> > Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011
>> > Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
>> >
>>
>>
>>
>>
>> --
>> John Wilander, https://twitter.com/johnwilander
>> Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
>> Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011
>> Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
>>
>
>

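The single-page pattern Psiinon describes at the top of this message (an in-memory HSQLDB, check whether the table exists, create and seed it if not, then run the vulnerable query) written out as an added example. This is not code from the thread, from ZAP or from WebGoat; the database name `zaptest`, the `accounts` table and its sample rows are invented for illustration, and the only dependency is hsqldb.jar on the classpath. Because a `mem:` database lives for the lifetime of the JVM, the first request creates the table and every later request finds it already there, which is what lets the whole thing sit in one JSP with no external service. The vulnerable and fixed lookups are side by side so a scanner regression test can confirm the injection fires on one path and not the other.

```java
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/**
 * Self-contained SQL injection example backed by an in-memory HSQLDB.
 * No external database: the first call creates and seeds the table, later
 * calls find it already present. The static methods can be pasted into a
 * JSP scriptlet or called from a servlet with the request parameter.
 */
public class InMemorySqliExample {

    // Hypothetical database name; any name works for a mem: URL.
    private static final String JDBC_URL = "jdbc:hsqldb:mem:zaptest";

    public static Connection open() throws SQLException {
        // HSQLDB 2.x driver class; 1.8 ships it as org.hsqldb.jdbcDriver.
        try {
            Class.forName("org.hsqldb.jdbc.JDBCDriver");
        } catch (ClassNotFoundException e) {
            throw new SQLException("hsqldb.jar is not on the classpath", e);
        }
        return DriverManager.getConnection(JDBC_URL, "SA", "");
    }

    /** Create and seed the ACCOUNTS table the first time it is needed. */
    public static void ensureTable(Connection conn) throws SQLException {
        DatabaseMetaData meta = conn.getMetaData();
        // Unquoted identifiers are stored upper-case by HSQLDB.
        try (ResultSet rs = meta.getTables(null, null, "ACCOUNTS", null)) {
            if (rs.next()) {
                return; // already created by an earlier request
            }
        }
        try (Statement st = conn.createStatement()) {
            st.executeUpdate("CREATE TABLE accounts (id INT PRIMARY KEY, "
                    + "username VARCHAR(64), email VARCHAR(128))");
            // Constructed sample rows, not real data.
            st.executeUpdate("INSERT INTO accounts VALUES (1, 'alice', 'alice@example.org')");
            st.executeUpdate("INSERT INTO accounts VALUES (2, 'bob', 'bob@example.org')");
        }
    }

    /** Deliberately vulnerable: the request parameter is concatenated into the SQL. */
    public static List<String> vulnerableLookup(Connection conn, String username)
            throws SQLException {
        String sql = "SELECT email FROM accounts WHERE username = '" + username + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    /** Fixed form: a bound parameter, so quotes in the input stay data. */
    public static List<String> safeLookup(Connection conn, String username)
            throws SQLException {
        String sql = "SELECT email FROM accounts WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> out = new ArrayList<>();
        while (rs.next()) {
            out.add(rs.getString(1));
        }
        return out;
    }

    public static void main(String[] args) throws SQLException {
        // Classic tautology payload. Concatenated, it turns the WHERE clause into
        // username = '' OR '1'='1' and so matches every row; bound as a parameter it
        // is compared literally against the usernames and matches nothing.
        String payload = "' OR '1'='1";
        try (Connection conn = open()) {
            ensureTable(conn);
            System.out.println("vulnerable: " + vulnerableLookup(conn, payload));
            System.out.println("safe:       " + safeLookup(conn, payload));
        }
    }
}
```

Run it with `java -cp hsqldb.jar:. InMemorySqliExample`. In a JSP the same three calls go in the scriptlet with `request.getParameter("username")` as the input; keeping one vulnerable statement per page, as the original message asks for, makes it unambiguous which check a scanner did or did not trigger.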
